After running setcap, why can't I use tar, and why do I get the error "Operation not permitted"?
0 votes · 1 answer · 850 views
### Question
I'm doing my internship, working on container security, and recently I needed to build a container that has security problems in order to do some tests. Here is my Dockerfile:
```dockerfile
FROM dockerfiles/centos-lamp
WORKDIR /var/www/html
RUN wget https://github.com/RandomStorm/DVWA/archive/v1.0.8.tar.gz -O- | tar xvz --strip-components=1
RUN service mysqld start && mysqladmin -uroot password p@ssw0rd && service mysqld stop
EXPOSE 80
USER root
COPY ./Centos-vault-6.10.repo /home
COPY ./here_u_r.txt /root
WORKDIR /home
RUN rm -rf /etc/yum.repos.d/*
RUN cp -r ./Centos-vault-6.10.repo /etc/yum.repos.d/CentOS-Base.repo
RUN yum clean all
RUN yum makecache
# A private copy of tar that will carry the file capability
RUN cp /bin/tar .
WORKDIR /var/www/html
RUN rpm --rebuilddb && yum install -y sudo && yum install -y gcc
# Deliberate weaknesses for the test container: setuid find, hidden getcap,
# and a tar binary with cap_dac_read_search in its permitted+effective set
RUN usermod -aG wheel apache && \
    chmod u+s $(which find) && \
    chmod 700 $(which getcap) && \
    setcap 'cap_dac_read_search=ep' /home/tar
CMD ["supervisord", "-n"]
```
As you can see, in the penultimate line I want to give the tar executable in the /home directory the capability so that it can read files. But I got an error when I used that tar binary to zip something. Can someone give me a hand?
PS: I also don't understand why, when I check the capability of this file, I get **cap_dac_read_search+ep**. I didn't use setcap 'cap_dac_read_search+ep' /home/tar, but setcap **'cap_dac_read_search=ep'** /home/tar.
### Actions in my shell + returned results
```console
bash-4.1$ ls -la /home/tar
-rwxr-xr-x. 1 root root 390616 Aug 24 22:56 /home/tar
bash-4.1$ find 1 -exec getcap /home/tar \;
/home/tar = cap_dac_read_search+ep
bash-4.1$ pwd
/home
bash-4.1$ ./tar -cvf /tmp/my.tar /tmp/1 /tmp/pip-build-root
bash: ./tar: Operation not permitted
```
Asked by propoba (103 rep) on Aug 25, 2023, 03:18 AM
Last activity: Nov 11, 2023, 11:35 PM
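The "Operation not permitted" on exec, rather than a permission error later when tar opens a file, is the kernel refusing to run a binary whose file capabilities it cannot honour: when a capability is in the file's permitted set with the effective bit on (the `ep` in `cap_dac_read_search=ep`) but is missing from the executing process's capability bounding set, execve() fails with EPERM instead of silently running the program with fewer privileges. An unprivileged Docker container's bounding set contains CAP_DAC_OVERRIDE but not CAP_DAC_READ_SEARCH, so the apache user in this container cannot exec /home/tar at all. (The `=ep` versus `+ep` difference is only notation: setcap takes the `=` assignment form, while older libcap prints the same state as `+ep`; newer versions print `=ep`.) The script below is an added example, not code from the question or from libcap; it reads the CapBnd mask from /proc/self/status, checks the relevant bit, and is seeded with Docker's default bounding-set value as a constructed sample so it can be run outside a container:

```shell
#!/bin/sh
# Added example, not from the original post. Checks the condition that makes
# the kernel refuse to exec a binary carrying file capabilities: every
# capability in the file's permitted set with the effective bit on must also
# be present in the calling process's capability bounding set (CapBnd),
# otherwise execve() fails with EPERM ("Operation not permitted").

# Capability bit numbers from <linux/capability.h>.
CAP_DAC_OVERRIDE=1
CAP_DAC_READ_SEARCH=2

# Docker's default bounding set for an unprivileged container, as shown by
# `grep CapBnd /proc/self/status` inside one (embedded here as a sample value).
DOCKER_DEFAULT_CAPBND=00000000a80425fb

# cap_in_mask HEXMASK CAPNUM: succeeds if bit CAPNUM is set in HEXMASK.
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# exec_would_fail HEXMASK CAPNUM: succeeds if exec of a binary whose file
# capabilities are "<cap>=ep" for CAPNUM would fail under bounding set HEXMASK.
exec_would_fail() {
    ! cap_in_mask "$1" "$2"
}

# current_capbnd: the bounding set of this shell, read from /proc (Linux only).
current_capbnd() {
    sed -n 's/^CapBnd:[[:space:]]*//p' /proc/self/status 2>/dev/null
}

# report [HEXMASK]: say whether a binary with cap_dac_read_search=ep (the
# /home/tar from the question) could be executed under the given bounding set
# (default: this process's own). Returns 1 when the exec would fail.
report() {
    bnd=${1:-$(current_capbnd)}
    if [ -z "$bnd" ]; then
        echo "could not read CapBnd from /proc/self/status" >&2
        return 2
    fi
    if exec_would_fail "$bnd" "$CAP_DAC_READ_SEARCH"; then
        echo "CapBnd=$bnd lacks cap_dac_read_search: exec of a cap_dac_read_search=ep binary fails with EPERM"
        echo "fix for Docker: start the container with --cap-add DAC_READ_SEARCH"
        return 1
    fi
    echo "CapBnd=$bnd contains cap_dac_read_search: exec is permitted"
    return 0
}

# Demonstrate against the Docker default first, then against this process.
status=0
report "$DOCKER_DEFAULT_CAPBND" || status=$?
report || status=$?
```

Inside the container, `capsh --print` or `grep Cap /proc/self/status` shows the same bounding set; `docker run --cap-add DAC_READ_SEARCH` (or adding it in compose) puts the bit back, after which the file capability is honoured and `./tar` can read files the apache user otherwise could not.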